[Pkg-nginx-maintainers] Bug#1137339: nginx: CVE-2026-9256
Salvatore Bonaccorso
carnil at debian.org
Fri May 22 20:38:12 BST 2026
Source: nginx
Version: 1.30.1-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for nginx.
CVE-2026-9256[0]:
| NGINX Plus and NGINX Open Source have a vulnerability in the
| ngx_http_rewrite_module module. This vulnerability exists when a
| rewrite directive uses a regex pattern with distinct, overlapping
| Perl-Compatible Regular Expression (PCRE) captures (for example,
| ^/((.*))$) and a replacement string that references multiple such
| captures (for example, $1$2) in a redirect or arguments context. An
| unauthenticated attacker along with conditions beyond their control
| can exploit this vulnerability by sending crafted HTTP requests.
| This may cause a heap buffer overflow in the NGINX worker process
| leading to a restart. Additionally, attackers can execute code on
| systems with Address Space Layout Randomization (ASLR) disabled or
| when the attacker can bypass ASLR. Note: Software versions which
| have reached End of Technical Support (EoTS) are not evaluated.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9256
https://www.cve.org/CVERecord?id=CVE-2026-9256
[1] https://github.com/nginx/nginx/commit/3f135ae2eb60ce376196c898a6c7cb4d774f7068
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-nginx-maintainers
mailing list